Mitigation: TLS Protocols

Starting with the .NET Framework 4.6, the System.Net.ServicePointManager and System.Net.Security.SslStream classes are allowed to use one of the following three protocols: Tls1.0, Tls1.1, or Tls 1.2. The SSL3.0 protocol and RC4 cipher are not supported.

Impact

This change affects:

Mitigation

The recommended mitigation is to upgrade the sever-side app to Tls1.0, Tls1.1, or Tls 1.2. If this is not feasible, or if client apps are broken, the AppContext class can be used to opt out of this feature in either of two ways:

  • Programmatically, by using a code snippet like the following:

    const string DisableCachingName = @"TestSwitch.LocalAppContext.DisableCaching";
    const string DontEnableSchUseStrongCryptoName = @"Switch.System.Net.DontEnableSchUseStrongCrypto";
    AppContext.SetSwitch(DisableCachingName, true); 
    AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, true); 
    
    Const DisableCachingName As String = "TestSwitch.LocalAppContext.DisableCaching"
    Const DontEnableSchUseStrongCryptoName As String = "Switch.System.Net.DontEnableSchUseStrongCrypto"
    AppContext.SetSwitch(DisableCachingName, True)
    AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, True)
    

    Because the ServicePointManager object is initialized only once, defining these compatibility settings must be the first thing the application does.

  • By adding the following line to the <runtime> section of your app.config file:

    <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=true"/>  
    

Note, however, that opting out of the default behavior is not recommended, since it makes the application less secure.

See also